The Healthcare Supply Chain Association released two guides that outline key privacy and cybersecurity considerations for medical devices, directed at healthcare delivery organizations and manufacturers.
The HSCA trade group represents 14 U.S. healthcare purchasing organizations, including for-profit and nonprofit health systems and provider entities. The new insights join earlier guidance on medical device threat modeling playbook from Mitre and the Medical Device Innovation Consortium, as well as an in-depth guide on the medical device security lifecycle from The Healthcare and Public Health Sector Coordinating Council.
HSCA began developing the insights after seeing the rapid shift in remote care and telehealth use in the healthcare sector amid the pandemic response, which solidified the “important role that information technology, software, and medical devices can play in improving patient care,” explained HSCA President and CEO Todd Ebert in a statement.
“However, as evidenced by recent cyberattacks, medical devices and services are vulnerable to cybersecurity threats that could jeopardize patient health, safety, and privacy,” he continued. “GPOs leverage their unique line of sight over the supply chain to help providers harness the benefits of technology to care for their patients while guarding against cyber threats.”
The guides aim to support both manufacturers and providers with protecting patient safety and privacy and include recommendations for medical device security terms and conditions for purchasing contacts to support the rapid adoption of cybersecurity measures in healthcare.
The cybersecurity measures and recommendations are broken down into four key categories, including cybersecurity training and software, equipment and acquisition standards and risk coverage, data encryption, and information sharing and standards organizations. The guide also shines a light on important terms and their possible security impact.
Healthcare security administrators will find key considerations for delivery organizations, such as the designation of a security officer responsible for building and maintaining relationships with industry stakeholders and recommended encryption requirements for data in transit.
There are also insights on contracting with manufacturers and what to avoid when procuring a device from a supplier or manufacturer. The recommendation is incredibly helpful, but only if a healthcare organization has successfully added the security team to the procurement process to ensure all devices brought onto the network are designed with security in mind.
One of the biggest gaps in medical device security is the lack of streamlined processes for procuring devices, IT, and systems for the enterprise, with 2018 data finding the average healthcare environment holds about 10,000 medical devices.
Lastly, the guidance has recommendations specific to device manufacturers and service suppliers, including evidence of compliance with industry standards and the information these parties should provide to healthcare organizations, particularly around legacy or vulnerable platforms.
HSCA Committee for Healthcare eStandards (ChES) Executive Director Curt Miller explained that as the use of connected medical devices and software as a service (SaaS) continues to increase in healthcare, the risks posed to patients and the enterprise have followed.
Particularly as the Department of Health and Human Services ramps up the interoperability efforts across the sector into the coming year, the guides can support the continued adoption and advances in IT and medical device infrastructure to better protect patient safety.
As previous Forescout data showed the majority of medical devices operate on legacy platforms, reducing the possible impact to the overall network is crucial because no medical device stands alone and there’s no way to completely eliminate the risk these devices pose.
Security researchers have long warned that device maintenance and security is a “shared responsibility of the manufacturers and suppliers of connected devices and services as well as the healthcare delivery organizations” leveraging the platforms.
“Providing this security is a continual effort that requires vigilance, adaptation, and ongoing communication and collaboration between the parties,” according to HSCA. As such, HSCA stressed the importance of joining and participating in an I-SAC or I-SAO, at the very minimum, and leveraging a risk assessment methodology and standards-based security framework, like NIST.
The trade group leadership urges all stakeholders to leverage the guidance to address the accelerated adoption of these devices to reduce the risk and improve “industry-wide data standards for improving efficiencies and safety throughout the healthcare supply chain.”